A Java deserialization bug in Cisco's Access Control System and a hardcoded SSH password in Prime Collaboration Provisioning software can both be exploited to gain root access. Patch now.
Building a slide deck, pitch, or presentation? Here are the big takeaways:
- Cisco has released news of two critical flaws in its Access Control System and Prime Collaboration Provisioning software. Both can lead to a remote attacker gaining root access.
- Both flawed products are no longer available from Cisco but are under support. This should serve as a reminder that end-of-lifed products don't always receive updates and should be in line for replacements before they become security risks.
A long list of Cisco patches released today contains fixes for two critical flaws in software that, while no longer sold by Cisco, is still being supported.
The first concerns the Cisco Secure Access Control System (ACS), which is no longer available for purchase as of August 2017. It is vulnerable to a Java deserialization attack that could allow a remote attacker to gain root access to an ACS by sending a crafted serialized Java object. The flaw affects all versions of ACS software prior to release 5.8 patch 9.
The second affects Cisco's Prime Collaboration Provisioning (PCP) software but is only applicable to version 11.6. The flaw in this case is a hard-coded SSH password that can be used to gain root access.
Java serialization and deserialization is a process by which complex Java objects are converted into a stream of bytes so they can be sent over a network or stored. Converting the objects into bytes is the serialization part of the process, and deserialization is the act of reconstructing the objects from those bytes at the receiving end.
The deserialization attack results from a flaw in how some applications handle deserialization: they do not validate the incoming serialized data before reconstructing objects from it, so an attacker can send a crafted serialized object to a vulnerable application and have code of their choosing run when it is deserialized. Such is the case with the Cisco ACS.
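As an added illustration (not code from the article or from Cisco), here is the general pattern behind such bugs in Java beside the standard mitigation: an ObjectInputStream that deserializes untrusted bytes with no check, and the same call guarded by a JEP 290 deserialization filter (java.io.ObjectInputFilter, JDK 9+) that allows only the class the endpoint expects. The Message class and the sample payloads are constructed for the example.

```java
import java.io.*;
import java.util.Set;

public class SafeDeserializationDemo {
    // The only type this endpoint expects (constructed for the example).
    static final class Message implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Message(String text) { this.text = text; }
    }

    // Allow-list of classes permitted in the stream; everything else is rejected.
    static final Set<String> ALLOWED = Set.of(Message.class.getName(), "java.lang.String");

    // Filter consulted before each class in the stream is resolved (JDK 9+ API).
    static final ObjectInputFilter FILTER = info -> {
        if (info.depth() > 4) return ObjectInputFilter.Status.REJECTED; // no deep graphs expected here
        Class<?> c = info.serialClass();
        if (c == null) return ObjectInputFilter.Status.UNDECIDED;   // non-class checks (stream limits)
        return ALLOWED.contains(c.getName())
                ? ObjectInputFilter.Status.ALLOWED : ObjectInputFilter.Status.REJECTED;
    };

    // The vulnerable pattern: readObject() on untrusted bytes with no validation at all.
    static Object unsafeRead(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    // Hardened: same call, but the filter decides before any unexpected class is instantiated.
    static Object safeRead(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(FILTER);
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new Message("hello"));
        // A benign stand-in for any class the endpoint never asked for.
        byte[] unexpected = serialize(new java.util.ArrayList<>(java.util.List.of("x")));

        System.out.println("safe, expected type: " + ((Message) safeRead(expected)).text);
        System.out.println("unsafe, unexpected type accepted: " + unsafeRead(unexpected).getClass());
        try {
            safeRead(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("safe, unexpected type rejected: " + e.getMessage());
        }
    }
}
```

The same filter can be applied process-wide with ObjectInputFilter.Config.setSerialFilter, which is the safer default when a codebase has many readObject() call sites.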
The bigger lesson
Critical flaws and patches to fix them are an everyday occurrence in the tech industry. What makes these two special is that they're for software and equipment that's already been end-of-lifed by Cisco.
Support for the two will end in 2020, which is closer than you may think, especially in the purchase and deployment cycle of major products like the ACS and PCP.
Whenever a company announces the end of a product's life cycle it's time to start considering what's going to be done to replace it, even if support won't be ended for several years. The last thing you want is an old, unsupported product with a major security flaw on your hands.
In some cases companies will dust off old code and issue a fix, as Microsoft did to patch Windows XP against WannaCry, but that's anything but typical. If you own a Cisco ACS or use Cisco PCP it's time to start thinking about the future.